Secure AI Agents.

Find how your agents break.
Fix what matters.

General Analysis helps security teams adversarially test, monitor, and protect AI agents and systems in production.

Schedule a Demo Explore Platform

Platform snapshot

Connected sources

GitHub, cloud, LLM providers

Discovered surface

Models, MCPs, KBs, tool schemas

Active review queue

High-risk agent paths surfaced

Connected Integrations

Discovered Assets

· 6 of 297

filter…

AssetTypeRegionSeenStatus

gpt-4o-mini

OpenAI

Modelus-east-12d agoReview

claude-3-5-sonnet

Anthropic

Modelus-east-15d agoOK

s3://prod-knowledge

AWS

Knowledgeus-west-21h agoHigh risk

monorepo-ai

GitHub

Repoorg/general12h agoOK

mcp · jira

AWS

MCPeu-central3h agoHigh risk

iam · prod-vault

AWS

Permission12 roles2d agoHigh risk

rag/company-docs

Asset

Threats12 view

Show details

Coverage

94%+12%

Audit trail

built by experts from

Agent Systems

Every action leaves a path.

General Analysis maps those paths before attackers do.

Context becomes coverage

A connected view of the system becomes the input for discovery, analysis, and adversarial testing.

How It Works

Discover. Analyze. Red-team.

Discover

See every model, MCP, KB, tool, and permission in your stack

Connect cloud, code, docs, and agent infrastructure. We extract the full inventory of AI assets across your environment so nothing slips through the cracks.

Discover

01GitHub connected

02LLM providers connected

03Cloud runtime connected

24 models discovered

Data sources

GitHub

Connected

Repositories

Workflows

LLM Providers

Connected

System prompts

Tool schemas

OpenAIAnthropicGoogle

Cloud & Runtime

Connected

Cloud logs

Identity & access

awsgcpk8s

Ingesting & normalizing

Securely ingesting and normalizing telemetry from your tools.

Discovered surface

Analyze

Catch AI-specific risks static checks miss

Unverified MCPs, autonomous agents holding production credentials, uncensored models, over-permissive IAM roles — surfaced with concrete evidence and mapped to OWASP LLM Top 10.

Analyze

01Unsafe model from Hugging Face

02Unofficial MCP server

03Lethal trifecta path detected

18 risks found

Scan in progress

$ ga scan --workspace prod-ai --scope all

[12s] discovering model endpoints

[19s] mapping MCP tools and permissions

[26s] checking runtime exposure

Coverage14%

Risks identified

normalized scan

Unsafe model from Hugging Face

mistralai/Mixtral-8x7B-Instruct-v0.1

HIGH

Risky model detected: DeepSeek

deepseek-ai/deepseek-chat

HIGH

Unofficial MCP server

mcp://community-weather-server

MEDIUM

Over-permissive tool schema

filesystem.write + external_request

MEDIUM

Lethal trifecta path detected

Prompt injection · Tool misuse · Data exfiltration

CRITICAL

0 risks foundView all risks

Red-team

Find out what attackers can actually exploit

Launch hundreds of adversarial simulations against any agent system, with OWASP threat tags as targets. Watch in real time what your AI can be coerced into doing.

Red-team

01Prompt injection

02Tool misuse

03Sensitive retrieval attempt

7 exploit chains confirmed

Attack simulation

$ ga redteam --target support-agent --scenario exfiltration

360 generated campaigns across models, MCPs, and runtime permissions

Attempts

Paths

Exploit path

confirmed

Prompt injection

support ticket

Tool misuse

untrusted MCP

Data access

private KB

Exfil attempt

blocked egress

Injected policy override recovered from ticket body

Agent selected untrusted MCP server with network access

Sensitive retrieval attempted before outbound tool call

LatestWork

View all blog posts

Supabase MCP can leak your entire SQL database

RESEARCH

2026-04-10•8 min read

Supabase MCP can leak your entire SQL database

In this post, we show how an attacker can exploit Supabase’s MCP integration to leak a developer’s private SQL tables. Model Context Protocol (MCP) has emerged as a standard way for LLMs to interact with external tools. While this unlocks new capabilities, it also introduces new risk surfaces.

50+ customer service agents offer $10,000,000+ in fabricated benefits

RESEARCH

2026-03-22•10 min read

50+ customer service agents offer $10,000,000+ in fabricated benefits

50+ customer service agents offer a combined $10,000,000+ in fabricated benefits.

PRODUCT UPDATES

2025-10-01•7 min read

Guardrail Release

Open-source release of the GA Guard series, a family of safety classifiers that have been providing comprehensive protection for enterprise AI deployments for the past year.

Claude Jailbroken to Mint Unlimited Stripe Coupons

RESEARCH

2025-07-16•7 min read

Claude Jailbroken to Mint Unlimited Stripe Coupons

We reveal a powerful metadata-spoofing attack that exploits Claude's iMessage integration to mint unlimited Stripe coupons or invoke any MCP tool with arbitrary parameters, without alerting the user.

Exploiting Partial Compliance: The Redact-and-Recover Jailbreak

RESEARCH

2025-07-07•8 min read

Exploiting Partial Compliance: The Redact-and-Recover Jailbreak

We present the Redact & Recover (RnR) Jailbreak, a novel attack that exploits partial compliance behaviors in frontier LLMs to bypass safety guardrails through a two-phase decomposition strategy.

Case Study: Light-Weight Policy Moderators for Indeed Job Postings

RESEARCH

2025-05-25•8 min read

Case Study: Light-Weight Policy Moderators for Indeed Job Postings

Our compact policy moderation models achieve human-level performance at <1% per-review cost, outperforming GPT-4o and o4‑mini on F1 while running faster and cheaper.

FeaturedMedia

Fresh press mentions, walkthroughs, and partner spotlights about how teams use General Analysis to harden their AI systems.

Tansive

How-To

Runtime defense against Supabase prompt injection

Tansive's blog builds on our research and implements a working defense against the Supabase MCP exploit using its open‑source AI‑agent runtime. The article recaps how an attacker's support‑ticket prompt tricked Cursor's AI into leaking the `integration_tokens` table, then demonstrates how Tansive enforces role‑based policies and input constraints to block such queries. Detailed examples show policies that restrict `execute_sql` capabilities, configure per‑role MCP endpoints and generate tamper‑evident audit logs.

Visit story

Simon Willison

Blog Feature

Exfiltration via the lethal trifecta

AI blogger Simon Willison flags a dangerous combination he calls the “lethal trifecta” – granting an AI agent access to private SQL data, exposing it to untrusted user content and giving it a way to communicate externally. He points to our Supabase MCP attack where a support ticket contained hidden instructions telling the model to read the `integration_tokens` table and insert the secrets back into the ticket, which the agent obediently did. The post is a warning that agents with `service_role` privileges and no sense of context boundaries can be tricked into exfiltrating entire databases.

Visit story

The Primeagen

Video Feature

Supabase prompt injection walkthrough

This video walks through our Supabase MCP exploit. A malicious support‑ticket instructs Cursor’s AI assistant to `SELECT` all rows from a sensitive `integration_tokens` table and `INSERT` them back into the ticket. Because the agent runs with a full `service_role` key that bypasses Row‑Level Security, it dutifully leaks every secret token. The walkthrough shows the attack flow and explains why untrusted inputs plus over‑privileged agents equal catastrophic data leaks.

Visit story

Weights & Biases

Case Study

Defending against prompt injection

Weights & Biases builds on our Supabase research to show how prompt‑injection attacks abuse the Model Context Protocol. It reproduces the exfiltration and then outlines layered defenses: issuing minimal‑scope credentials, using a gateway to enforce per‑table policies, running MCP servers in read‑only mode to eliminate write‑based exfiltration, filtering untrusted inputs and sandboxing model outputs. The article calls our post an outstanding piece of research and highlights why MCP servers must adopt defense‑in‑depth.

Visit story

GitHub

Open Source

The Jailbreak Cookbook repository

General Analysis’s open‑source "Jailbreak Cookbook" collects dozens of jailbreaks and prompt‑injection techniques along with unified infrastructure to run them. The blog post introducing it notes that we provide implementations for most listed jailbreaks in a single repo and supply full documentation for researchers and red‑teamers. It’s a reference library and playground for anyone building AI security tools.

Visit story

Together AI

Partnership

Stress‑testing open models with GA

Together AI announces a partnership with General Analysis to stress‑test open‑source language models. The post explains that GA’s programmable red‑teaming framework probes models across prompt‑injection, jailbreak and targeted‑failure scenarios, revealing concrete vulnerabilities and mitigation strategies. Running campaigns on Together’s high‑throughput inference API allows evaluations that process tens of billions of tokens, and GA’s open‑source library now natively supports Together’s endpoints.

Visit story

Apideck

Security Brief

The security landscape of MCP

Apideck’s industry‑insights blog surveys the state of Model Context Protocol security in 2025. It highlights real‑world vulnerabilities—prompt injection, tool poisoning, over‑privileged access and token leakage—and cites exploits observed in GitHub, Supabase and other servers. The post emphasises that attackers can hijack an AI’s behaviour, exfiltrate data or trigger malicious actions through MCP connections and explains how a new OAuth 2.0‑based specification aims to tighten authorization.

Visit story

Pomerium

Zero Trust

Lessons from the Supabase leak

Pomerium’s write‑up dissects our Supabase MCP incident as a classic confused‑deputy problem. An LLM agent running with the full `service_role` key ingested a malicious support message and executed the embedded SQL to select every row from the `integration_tokens` table and write them back to the ticket. Because Row‑Level Security is bypassed by service keys, no permission checks stopped the leak. The article urges using least‑privilege credentials, read‑only MCP servers and gateway‑enforced policies to prevent similar breaches.

Visit story

Composio

Playbook

MCP vulnerabilities every developer should know

Composio details multiple classes of MCP vulnerabilities and emphasises that simple guardrails aren’t enough. It warns that malicious tool descriptions can silently inject harmful prompts, many servers lack proper OAuth handling, supply‑chain risks are underestimated and real‑world failures like the Supabase lethal‑trifecta attack and Asana and mcp‑remote command‑injection flaws have already happened. The article encourages developers to vet third‑party tools and follow the new MCP security spec.

Visit story

Max Planck

Reference

Capability‑based scaling laws for LLM red‑teaming

Researchers at the Max Planck Institute model red‑teaming as a function of the capability gap between attacker and target models. Their study evaluates over 500 attacker–target pairs using LLM‑based jailbreak attacks and observes that more capable models are better attackers, while attack success drops sharply once the target’s capability exceeds the attacker’s. The paper derives a scaling law predicting attack success based on this capability gap and discusses how fixed‑capability attack models may become ineffective against future models.

Visit story

Oso

Blog Feature

Why LLM authorization is hard

Oso uses the Supabase exploit to explain why LLM authorization is challenging. It notes that the attack hinged on three issues: accepting untrusted input, conflating instructions with data and using an over‑privileged database account. The post argues that prompt‑injection detection is extremely hard and urges designers to narrow effective permissions and prevent AI agents from reading sensitive tables in the first place.

Visit story

Alpha Insights

Perspective

MCP servers: read‑only is non‑negotiable

Alpha Insights argues that MCP servers must default to read‑only. After the Supabase incident it notes that Supabase’s documentation now recommends read‑only mode by default and explains that 43 % of production MCP servers have command‑injection vulnerabilities. The article explains how MCP servers should act as views, not controllers: allowing only SELECT queries prevents attacks from dropping or modifying tables. It concludes that combining privileged access, untrusted input and an exfiltration channel—the lethal trifecta—creates a backdoor.

Visit story

ivision Research

Security Talk

AI gets a library card: security ramifications of MCP

ivision’s presentation on Model Context Protocol security explains that AI context consists of system prompts, conversation history, tool calls and user messages, and that mixing these channels can expose sensitive data. It highlights Simon Willison’s lethal‑trifecta framework—access to private data, external communication and untrusted content—and uses the Supabase ticketing example where a malicious message told an `execute_sql()` tool to fetch integration keys, completing all three elements. The talk urges practitioners to test MCP servers rigorously and avoid configurations that combine the trifecta.

Visit story

The CyberWire

Show Notes

FAIK Files episode notes on jailbreaks

Show notes for The CyberWire’s FAIK Files episode link to our technical breakdown of the iMessage Stripe exploit. In that attack, Claude was jailbroken to mint unlimited Stripe discount coupons; the podcast notes direct listeners to our General Analysis post for the full details.

Visit story

Loading page...

Find how your agents break.Fix what matters.

Connected Integrations

Discovered Assets

Discover. Analyze. Red-team.

See every model, MCP, KB, tool, and permission in your stack

GitHub

LLM Providers

Cloud & Runtime

Catch AI-specific risks static checks miss

Find out what attackers can actually exploit

LatestWork

Supabase MCP can leak your entire SQL database

50+ customer service agents offer $10,000,000+ in fabricated benefits

Guardrail Release

Claude Jailbroken to Mint Unlimited Stripe Coupons

Exploiting Partial Compliance: The Redact-and-Recover Jailbreak

Case Study: Light-Weight Policy Moderators for Indeed Job Postings

FeaturedMedia

Runtime defense against Supabase prompt injection

Exfiltration via the lethal trifecta

Supabase prompt injection walkthrough

Defending against prompt injection

The Jailbreak Cookbook repository

Stress‑testing open models with GA

The security landscape of MCP

Lessons from the Supabase leak

MCP vulnerabilities every developer should know

Capability‑based scaling laws for LLM red‑teaming

Why LLM authorization is hard

MCP servers: read‑only is non‑negotiable

AI gets a library card: security ramifications of MCP

FAIK Files episode notes on jailbreaks

Find how your agents break.Fix what matters.

Connected Integrations

Discovered Assets

Discover. Analyze. Red-team.

See every model, MCP, KB, tool, and permission in your stack

GitHub

LLM Providers

Cloud & Runtime

Catch AI-specific risks static checks miss

Find out what attackers can actually exploit

LatestWork

Supabase MCP can leak your entire SQL database

50+ customer service agents offer $10,000,000+ in fabricated benefits

Guardrail Release

Claude Jailbroken to Mint Unlimited Stripe Coupons

Exploiting Partial Compliance: The Redact-and-Recover Jailbreak

Case Study: Light-Weight Policy Moderators for Indeed Job Postings

FeaturedMedia

Runtime defense against Supabase prompt injection

Exfiltration via the lethal trifecta

Supabase prompt injection walkthrough

Defending against prompt injection

The Jailbreak Cookbook repository

Stress‑testing open models with GA

The security landscape of MCP

Lessons from the Supabase leak

MCP vulnerabilities every developer should know

Capability‑based scaling laws for LLM red‑teaming

Why LLM authorization is hard

MCP servers: read‑only is non‑negotiable

AI gets a library card: security ramifications of MCP

FAIK Files episode notes on jailbreaks

Find how your agents break.
Fix what matters.

Find how your agents break.
Fix what matters.